RE: Ros: Re: enhanced security for Linux, from Stephen Smalley

RE: Ros: Re: enhanced security for Linux, from Stephen Smalley

[Badger, Lee]

Casey,

I have to strongly disagree.

> Unfortunately, I see no way that the industry can take
> advantage of it. We've been pushing B1 (now LSPP) as the
> ultimate COTS security solution since the late 1980's
> and we're not going to drop that investment any time

As one of the creators of Domain and Type Enforcement (DTE), I have to
tell you that type enforcement is pretty different from MLS.  It is
highly configurable.  It allows us to trust but still confine programs
that must generate high-integrity data, or that must write "down" in
the sensitivity lattice.  It allows us to sandbox critical processes
in highly restrictive access control environments while leaving most
of the other processes unaffected.  It can support Biba, and
Clark/Wilson style integrity policies.  It can support notions such as
controlled execution.  It can of course support assured pipelines.
These are all capabilities that are natural for Security-Enhanced
Linux (SELinux), and that are very important for commercial
applications, but which are difficult, at best, with B1-like systems.
The confidentiality lattice just wasn't designed with these things in
mind.

I see many ways that industry can use these capabilities.  Just
consider any web farm.  Any 24x7 server.  Any organization that uses
servers that could be penetrated externally (e.g., the buffer overflow
attacks documented by CERT).  SELinux can and should also be applied
within organizations.  Firewall perimeters are getting weaker, and
there is an increased need to harden all host systems.  The label
lattice of the orange book doesn't help much there, but a system like
SELinux provides a very appropriate set of tools for applying access
controls so as to appropriately harden interior systems.  This makes
lots of sense for servers, today.  Client workstations are harder to
configure, but, ultimately, this approach may help there as well.

> throw that away, even for a vastly superior technology
> (Hey! I *AM* Dilbert's Boss!) which DE does not appear
> to be.

I would not claim superiority for SELinux in the area of
confidentiality or in the area of general assurance.  But for
integrity and flexibility and the ability to support confinement
policies of interest to commercial customers (i.e., like confining
those CGI scripts), SELinux provides a _much_ more useful set of tools
than Orange Book systems.  For these kinds of problems, SELinux
deserves a close look.  It has different goals from those of the
Orange Book, and is not an equivalent to B1.

Lee

Lee Badger
Chief Scientist
NAI Labs, Network Associates
443.259.2382 voice
301.854.4731 fax
lbadger@nai.com


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Ros: Re: enhanced security for Linux, from Stephen Smalley

[Casey Schaufler]

"Badger, Lee" wrote:
> 
> Casey,
> 
> I have to strongly disagree.
> 
> > Unfortunately, I see no way that the industry can take
> > advantage of it. We've been pushing B1 (now LSPP) as the
> > ultimate COTS security solution since the late 1980's
> > and we're not going to drop that investment any time
> 
> As one of the creators of Domain and Type Enforcement (DTE), I have to
> tell you that type enforcement is pretty different from MLS.

Which is my point. We have been selling MLS. We will continue
selling MLS. New technology, even if it's better, will take
some time to develop in the marketplace.

> ... It can support Biba ...

So does Trix. So will MLS Linux.

> ... It can support notions such as controlled execution.

Ever look at UNICOS PALs ?

> These are all capabilities that are natural for Security-Enhanced
> Linux (SELinux), and that are very important for commercial
> applications, but which are difficult, at best, with B1-like systems.

These are things that MLS systems can do. I dispute your
conclusion. I have customers doing many of these things,
as well as other clever configurations.

> The confidentiality lattice just wasn't designed with these things in
> mind.

The confidentiality lattice is to system security what
Froot Loops are to a nutritious breakfast.

> I see many ways that industry can use these capabilities.  Just
> consider any web farm.  Any 24x7 server.  Any organization that uses
> servers that could be penetrated externally (e.g., the buffer overflow
> attacks documented by CERT).

All applications to which a system with MLS and least privilege
can and have been applied.

> SELinux can and should also be applied
> within organizations.  Firewall perimeters are getting weaker, and
> there is an increased need to harden all host systems.  The label
> lattice of the orange book doesn't help much there, but a system like
> SELinux provides a very appropriate set of tools for applying access
> controls so as to appropriately harden interior systems.

The Orange Book lattice is perfect for hardening interior systems.
Our biggest Trix customers use the system for that purpose.

> > throw that away, even for a vastly superior technology
> > (Hey! I *AM* Dilbert's Boss!) which DE does not appear
> > to be.
> 
> I would not claim superiority for SELinux in the area of
> confidentiality or in the area of general assurance.

OKay.

> But for
> integrity and flexibility and the ability to support confinement
> policies of interest to commercial customers (i.e., like confining
> those CGI scripts), SELinux provides a _much_ more useful set of tools
> than Orange Book systems.

I believe your claim to be unfounded. Your example of confining
CGI scripts can be addressed with B&LaP, Biba, or both. I question
your claim that the "tools" available are superior. Certainly
the industry experiance with MLS systems has created a knowledge
base of problem solutions far in excess of what exists for DE.

> For these kinds of problems, SELinux
> deserves a close look.  It has different goals from those of the
> Orange Book, and is not an equivalent to B1.

Which, again, was my point. Beware the notion that B1 can't
solve the problems DE can, and that DE will be accepted where
B1 wasn't. MLS system are gaining acceptance. Thus we work
toward MLS in Linux. As a vendor I'm out to sell systems. If
there were evidence that DE would outsell MLS I'd be happy
to jump on the bandwagon.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Ros: Re: enhanced security for Linux, from Stephen Smalley

[Nelson Rush]

>> The confidentiality lattice just wasn't designed with these things in
>> mind.
>
>The confidentiality lattice is to system security what
>Froot Loops are to a nutritious breakfast.

Fruit loops has more vitamins than Cocoa Puffs or Wheaties or HoneyComb
cereal, less calories than Raisin Nut Bran or Waffle Crisps, no cholesterol,
and less sodium than Cap'n Crunch Peanut Butter Crunch.


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Ros: Re: enhanced security for Linux, from Stephen Smalley

[Casey Schaufler]

Nelson Rush wrote:
> 
> >> The confidentiality lattice just wasn't designed with these things in
> >> mind.
> >
> >The confidentiality lattice is to system security what
> >Froot Loops are to a nutritious breakfast.
> 
> Fruit loops has more vitamins than Cocoa Puffs or Wheaties or HoneyComb
> cereal, less calories than Raisin Nut Bran or Waffle Crisps, no cholesterol,
> and less sodium than Cap'n Crunch Peanut Butter Crunch.

It doesn't matter which it is, so long as the kids eat
(the good part of) breakfast before they go off to school.
Similarly, I can help an installation meet their security
needs by providing the security feature, in this case the
confidentiality lattice, which they've screamed and yelled
and threatened to hold their breath until the turn blue
if they can't have it.

Sorry for the obscure comparison. I do that sometimes.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Ros: Re: enhanced security for Linux, from Stephen Smalley

[Nelson Rush]

Casey Schaufler wrote:
>It doesn't matter which it is, so long as the kids eat
>(the good part of) breakfast before they go off to school.
>Similarly, I can help an installation meet their security
>needs by providing the security feature, in this case the
>confidentiality lattice, which they've screamed and yelled
>and threatened to hold their breath until the turn blue
>if they can't have it.
>
>Sorry for the obscure comparison. I do that sometimes.

Good points.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.